Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target stable
* Henri Salo he...@nerv.fi, 2012-02-11, 14:11:
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
On Sat, Feb 11, 2012 at 01:25:18PM +0100, Jakub Wilk wrote:
* Henri Salo he...@nerv.fi, 2012-02-11, 14:11:
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
On Fri, Feb 10, 2012 at 05:09:13PM +0100, Jakub Wilk wrote:
Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
forwarded 659379
http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1
thanks
Henri Salo wrote:
This allows local users to steal cookies (and tamper with them).
Does this security-issue have CVE-identifier? I can request one
from oss-security mailing list if ID hasn't
Processing commands for cont...@bugs.debian.org:
forwarded 659379
http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1
Bug #659379 [uzbl] uzbl: world-readable (and writable!) cookie jar
Set Bug forwarded-to-address to
'http://www.uzbl.org/bugs/index.php?do=details&task_id
* Luca BRUNO lu...@debian.org, 2012-02-11, 15:33:
+try:
+ # make sure the cookie jar is not world-open
+ perm_mode = os.stat(self.filename).st_mode
+ if (perm_mode (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) 0:
+ os.chmod(self.filename,
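Review bot: The stat-then-`os.chmod` sequence on `self.filename` only repairs the mode of a jar that already exists, so a freshly created jar is still exposed between its creation and this check. With the parent directories at 755 as shown in the report, the file mode is the only barrier. I would create the file with mode 0600 from the start (a restrictive umask around the save, or `os.open` with an explicit mode) and keep this block as the repair step for jars written by older versions. The mask in the `if` test also covers only the `S_IROTH | S_IWOTH | S_IXOTH` bits, so a group-readable or group-writable jar passes untouched; for a cookie store the group bits belong in the mask as well.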
Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/